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Victimology: Iran 




• Iranian MFA 

• Iran University of Science and Technology 

I * Atomic Energy Organization of Iran 
• Data Communications of Iran 

• Iranian Research Organization for Science Technology, 
Imam Hussein University 

• Malek-E-Ashtar University 
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Communications Security Centre de la s6curite 



• Five Eyes 

- Possible targeting of a French-language Canadian media 
organization 

• Europe 

- Greece 

• Possibly associated with European Financial Association 

- France 

- Norway 

- Spain 

• Africa 

- Ivory Coast 

- Algeria 
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Attribution: Binary Artifacts 




• ntrass.exe 

- DLL Loader uploaded to a victim as 
part of tasking seen in collection 

- I nternal Name: Babar 

- Developer username: titi 

• Babar is a popular French 
children’s television show 

• Titi is a French diminutive for 
Thiery, or a colloquial term for a 
small person 
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Attribution: Intelligence Priorities 




• Iranian science and technology 

- Notably, the Atomic Energy Organization of Iran 

- Nuclear research 

• European supranational organizations 

- European Financial Association 

• Former French colonies 

- Algeria, Ivory Coast 

• French-speaking organizations/areas 

- French-language media organization 

• Doesn’t fit cybercrime profile 
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La traque de Babar 

7 Pages - Contributed by Martin Untersinger , Le Monde - Mar 21, 2014 



C3EC l>. t) 

i*i srr J “ , *T c— . 

Le CSEG est Fagerra canadierme chargee dee telecommunicate ns [equivalent de la N&A, 



Victimologie <|p. 2 } 

VICTIMOLOGY 

Cette partie du document est dediee atw victims* du pregramme mformatiqu? sur lequel s'est penche le CSEC. 



Informations sensible^ ip 2'f 



Nous awns chrarsi de ne publier qUune partie du document sur lequel nous awns travaille oe dernier conte riant des 
informatbns. r&latk-es a une operation dt renrsegmmens potenrtiellemenrt encore en oours. 



Mimst-ere de£ altsires etrangeres iranien ip. 

Iranian MFA 



Medias canadieni (p, 4) 

- Possible targeting of a French -language Canadian media 
organization 

Des media seanad fens francophones pc-urraient faire partie des victinnes du programme mabeillant. 



Altri b ution (p. -5) 

ATTRIBUTION 

Les pages qti stive nt sent deslinees a determiner quise cache derriere "Snowglobe’ 



DLL i>. 6) 

DLL Loader uploaded to a victim as ' \ ' 

\l s'sgit fei d‘un programme, une compose nte de n Sfwvvgtobe" T oongu p ou etre insers dans Fordinateur de \a cihle 



Priorites (p. 7 ) 

Attribution: Intelligence Priorities 




Sif celte page, le C--5EC resume les cibles de "Snbowglobe" pour en faire apparaifcre les principal priories. 



